<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
  <head>
    <title>Lecture 1: Introduction</title>
    <meta name="generator" content="Muse">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    
    <link rel="stylesheet" type="text/css"charset="utf-8" media="all" href="../styles/common.css"  />

    <script src="../scripts/jsMath/easy/load.js"></script>
  </head>

  <body>

    <h1>Lecture 1: Introduction
      <!-- menu start here -->
      <div class="menu">
        <div class="menuitem">
          <a href="../home/index.html">Home</a>
        </div>
        <div class="menuitem">
          <a href="../courses/index.html">Courses</a>
        </div>
        <div class="menuitem">
          <a href="../projects/index.html">Projects</a>
        </div>
        <div class="menuitem">
          <a href="../complang/index.html">CompLang</a>
        </div>
        <div class="menuitem">
          <a href="../code/index.html">CodeReading</a>
        </div>
        <div class="menuitem">
          <a href="../software/index.html">Software</a>
        </div>
        <div class="menuitem">
          <a href="../lectures/index.html">Lectures</a>
        </div>
      </div>
      <!-- menu ends here -->

    </h1>


    <!-- Page published by Emacs Muse begins here -->

<p>from <a href="http://pdos.csail.mit.edu/6.893/2009/lec/l01-intro.txt">http://pdos.csail.mit.edu/6.893/2009/lec/l01-intro.txt</a></p>

<h2>What is security?  Security goals, threat models</h2>

<h3>Terminology</h3>

<dl>
<dt><strong>trust</strong></dt>
<dd>belief that something will not be compromised/fail, often
vague</dd>
<dt><strong>trustworthy</strong></dt>
<dd>it's actually worth trusting (it won't be
compromised/fail), good thing!</dd>
<dt><strong>trusted</strong></dt>
<dd>your security depends on the security of that thing (for
better or worse), bad thing! <br>
often <strong>transitive</strong>: if you trust google, and google trusts
someone else, you might have no choice but to end up
trusting that someone too.</dd>
</dl>


<h3>Typical design goals:</h3>

<ul>
<li>reduce the amount of trusted components</li>
<li>increase the trustworthiness of components</li>
</ul>



<h2>Example threat models</h2>

<h3>Web site wants to ensure data is not misused on the client machine</h3>

<ul>
<li>worried about users ripping music, videos?</li>
<li>DRM tools: TPM hardware.  more interesting: server can't leak
password?

<blockquote>
<p class="quoted"><strong>TODO: Think deeper into the problem</strong></p>
</blockquote></li>
</ul>



<h2>Interesting examples of what goes wrong</h2>

<h3>File access control: only nickolai can read grades.txt</h3>

<ul>
<li>maybe someone else can change the editor?</li>
<li>maybe someone else can trick me into revealing grades.txt?</li>
<li>maybe someone else can trick OS into thinking grades.txt is schedule.txt?</li>
</ul>



<h2>Secure system design principles</h2>

<ul>
<li>improve trustworthiness of your TCB</li>
<li>reduce the size of the TCB (less trusted code)</li>
<li>end-to-end security (goes hand-in-hand with reducing TCB)</li>
<li>economy of mechanism</li>
<li>principle of least privilege</li>
<li>make the defaults secure</li>
<li><strong>open design</strong>

<ul>
<li>makes it clear what the threat model and assumptions are.</li>
<li><strong>hiding the design is often not practical</strong>, hard to reason about
what security you get from a secret design.</li>
</ul></li>
</ul>


<h2>Access control</h2>

<h3>Access control in Unix</h3>

<h4>what does unix get wrong from our design principles?</h4>

<ul>
<li>POLP:

<ul>
<li>root required for many things, hard to run with less priv</li>
<li>almost every interesting daemon runs with full root privileges</li>
<li>why?  because originally Unix had everything interesting in the kernel. namely, the file system was about the only thing worth protecting.</li>
</ul></li>
<li>economy of mechanism:

<ul>
<li>not really, many disparate security mechanisms</li>
<li>all focused on time sharing a Unix machine between users, little else</li>
</ul></li>
<li>reduce size of TCB:

<ul>
<li>maybe OK if your security policy is about Unix users</li>
<li>not so great if your security policy is about something else</li>
<li>we'll see next week how to build a secure application on top of Unix</li>
</ul></li>
</ul>





<!-- Page published by Emacs Muse ends here -->
<hl />
<p />
<!-- <center> -->
<!--   Updated at  -->
<!--   2010-02-27 -->
<!-- </center> -->

<script type="text/javascript">
  var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
  document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
  try {
  var pageTracker = _gat._getTracker("UA-2241833-12");
  pageTracker._trackPageview();
  } catch(err) {}</script>

</body>
</html>

